Govt to develop own operating system

The Times of India reported yesterday of an initiative launched by the India government to develop its own operating system.

The government formed a high-level taskforce in February to devise a plan for building indigenous software, said a senior intelligence official who is a member. The panel will also suggest ways to conduct third-party audits on existing software in government offices to prevent online sabotage attempts until the software’s launch, he said.

While the details are sketchy and confusing, starting from the fact that there is more reference to “software” than operating system, it looks like the plan is to build an indigenous OS that can be used by government officials, starting from an open source OS out there. No further details are available on whether it will be BSD or Linux based.

This is a very encouraging step in the right direction though not without potential pitfalls.

For an OS to be secure and useful it has to get to a maturity level that is hard to reach. It remains to be seen how many of the government offices would find their way around a Linux distribution, even if it is as intuitive as Ubuntu or others out there.

Starting from an existing OS, while a practical thing to do, is risky in that either the current state of the OS has to be assumed to be secure or a careful meticulous audit has to be carried out to ascertain the security of the code. Given that so many vulnerabilities are being found in Open Source kernels and software, it would be prudent not to assume that they are secure just because they are open source. Of course being open source means that one has at least the option of performing the necessary code analysis.

Another downside of using an open source distribution is that of maintenance and support. Unless a government agency takes it upon itself to maintain the distribution and provide end user support, the move is going to hit a brick wall soon. This point should not be underestimated. A secure OS or a distribution that is not well maintained is just as insecure as any other out there. In addition, given that this OS is meant to be used by a wider non-technical user base that is the government offices, support service will turn out to be very important in the long run. Try explaining SELinux or how to configure it to a layman!

Operating system, though critical, is still only one of the pieces that makes the distribution. The software used within the OS is also critical. Is it not clear if this initiative is aimed at securing general purpose software too.

As the article mentions, regular audits have to be conducted in order to ascertain the security of the infrastructure. Though the content of the article casts a shadow at the anti-virus vendors, it is more likely that the users did not keep the virus signatures up to date than that the vendors had any malicious intent. Of course regular audits will only highlight the problem. The actual task of solving the problem (patching the OS, updating the signatures etc.) still needs to be carried out without delay.

At the end of the day the weakest link is almost always between the keyboard and the chair. Any initiative to secure the software infrastructure has to be accompanied with educating the users of best security practices and do-nots of computer security.

7 Responses to Govt to develop own operating system

Talking about open source OS, I don’t know if this is relevant but have a look at http://www.bosslinux.in. The OS has been developed entirely by CDAC under Ministry of IT. I think they can consider customizing the same OS to fit their needs :) .

Why is building one’s own OS a step in the right direction? What do you believe Govt. of India can accomplish that years of security research has not. I don’t see our Govt. or any other Govt. for that matter having special resources beyond what exists in the real world. Don’t see how a Govt. that cannot even implement its civil programs efficiently and without corruption can implement a secure OS, whatever that means.

Sorry for being a bit abrasive, but I just couldn’t accept your suggestion. I think absolute security is impossible to achieve and whatever progress we can make in securing our systems needs to come from myriad sources and people all over the world. A govt. with a closed and limited system cannot quite do what millions of independent hackers, security analysts, and researchers can.

@Vishnu: Thanks for the link, interesting development. Seems to be based on Debian, which is good (see response to Rama below).

@Anirudh Yes indeed a TCSEC like model would indeed be necessary to serve all the various security levels/classes. However, a single OS/distribution will not be able to cover all the classes. The aim should be to come up with an OS that at least has the “Discretionary protection” level for generic use within any government institution.

@Rama: I am definitely not advocating building an OS from scratch. That would indeed be a foolish endeavour. As you said “govt. with a closed and limited system cannot quite do what millions of independent hackers, security analysts, and researchers can”. What I would want the govt. to do would be to work on an existing OS that has security as one of its main concerns (not just lip service) and do an audit of the existing code base to ensure we know what we are “inheriting”. This way we will also be able to leverage on any patches etc. that are being produced etc.